Twitter's tit-for-tat struggle against clickjackers continues.
Two weeks after the micro-blogging site immunized its users against a fast-moving worm that caused them to unintentionally broadcast messages when they clicked on an innocuous-looking button, hackers have found a new way to exploit the clickjacking vulnerability. …

saga?

Explaination

Robert Simmons, the proof of concept purposely displays the iframe as it is not intended to cause any harm by tricking unsuspecting Twitter users. Is that what you meant by "not working in Safari 4?".

"By the time we stumbled on his findings, the exploit no longer worked." - As far as I can tell the exploit still works. To clarify visiting http://m.twitter.com usually results in the mobile version of Twitter being displayed, however only until a user has selected the "Standard" view using the link at the bottom of each page. The exploit would then no longer work until the users cookies are cleared (as twitter seems to store the standard/mobile preference).